gss_accept_sec_context(3) Library Functions Manual gss_accept_sec_context(3)
NAME
gss_accept_sec_context() - establish a security context between the application and a context acceptor
SYNOPSIS
DESCRIPTION
The routine is the second step in establishing a security context between the context initiator and a context acceptor. In the first step,
the context initiator calls the routine. The routine generates a token for the security context and passes it to the context initiator.
The context initiator sends the token to the context acceptor.
In the second step, the context acceptor accepts the call from the context initiator and calls the routine. The routine expects a value
for the input_token parameter. The value for the input_token parameter is generated by the routine and passed by the initiator to the
acceptor.
The routine can also return a value for the output_token parameter. The context acceptor presents the token to the routine. If the accep-
tor does not need to send a token to the initiator, sets the length field of the output_token parameter to 0 (zero).
To complete establishing the context, the context initiator can require one or more reply tokens from the context acceptor. If the appli-
cation requires reply tokens, the routine returns a status value containing The application calls the routine again when the reply token is
received from the context acceptor. The application passes the token to the routine via the output_token parameters.
The values returned using the src_name, ret_flags, time_rec, and delegated_cred_handle parameters are not defined unless the routine
returns the status,
Input Parameters
acceptor_cred_handle Specifies the credential handle (the identity) claimed by the context acceptor. This is optional information. The
credential must be either an ACCEPT type credential or a BOTH type credential. Specify to accept the context as
default principal
input_token_buffer Specifies the token received from the context acceptor.
input_chan_bindings Specifies bindings supplied by the context initiator. Allows the context initiator to bind the channel identifica-
tion information securely to the security context. If no channel bindings are used, specify
Input/Output Parameters
context_handle Specifies a context handle for a new context. The first time the context initiator uses the routine, specify to set
up a specific context. In subsequent calls, use the value returned by this parameter.
Output Parameters
src_name Returns the authenticated name of the context initiator. This information is optional. If the authenticated name is
not required, specify NULL. To deallocate the authenticated name, pass it to the routine.
actual_mech_type Actual mechanism used. Specify NULL if not required.
output_token Returns a token to pass to the context acceptor. If no token is to be passed to the context acceptor, the routine
sets the length field of the returned token buffer to 0 (zero).
ret_flags Returns a bitmask containing six independent flags, each of which requests that the context support a service option.
The following symbolic names are provided to correspond to each flag. The symbolic names should be logically ANDed
with the value of ret_flags to test whether the context supports the service option.
The True/False values are:
True Delegated credentials are available from the delegated_cred_handle parameter.
False No credentials were delegated.
The True/False values are:
True The context acceptor requested mutual authentication.
False The context acceptor did not request mutual authentication.
The True/False values are:
True Replayed signed or sealed messages will be detected.
False Replayed messages will not be detected.
The True/False values are:
True Out-of-sequence signed or sealed messages will be detected.
False Out-of-sequence signed or sealed messages will not be detected.
The True/False values are:
True Confidentiality services are available by calling the routine.
False Confidentiality services are not available. However, the application can call the routine to provide
message encapsulation, data-origin authentication, and integrity services.
The True/False values are:
True Integrity services can be invoked by calling either the or routine.
False Integrity services for individual messages are not available.
The True/False values are:
True The initiator's identity has not been revealed, and will not be revealed if any emitted token is passed
to the acceptor.
False The initiator's identity has been or will be authenticated normally.
The True/False values are:
True Protection services (as specified by the states of the and are available for use if the accompanying
major status return value is either or
False Protection services (as specified by the states of the and are available only if the accompanying major
status return value is
The True/False values are:
True The resultant security context may be transferred to other processes via a call to
False The security context is not transferable.
time_rec Returns the number of seconds for which the context remains valid. This is optional information. If the time is not
required, specify NULL.
delegated_cred_handle Returns the credential handle for credentials received from the context initiator. The credential handle is valid
only if delegated credentials are available. If the ret_flags parameter is true, the flag s set, indicating that
delegated credentials are available.
minor_status Returns a status code from the security mechanism.
STATUS CODES
The following status codes can be returned:
The routine was completed successfully.
The input_token parameter contains different channel bindings from those specified with the input_chan_bindings param-
eter.
The input_token parameter contains an invalid signature.
To complete the context, the
routine must be called again with a token required from the context acceptor.
The referenced credentials have expired.
Consistency checks performed on the
credential failed.
Consistency checks performed on the
input_token parameter failed.
The input_token parameter was already processed. This is a fatal error that occurs during context establishment.
The routine failed. See the
minor_status parameter return value for more information.
The supplied context handle did not refer to a valid context.
Indicates either the supplied credentials were not valid for context
acceptance or the credential handle did not reference any credentials.
The input_token parameter was too old. This is a fatal error that occurs during context establishment.
The received token specified a mechanism that is not supported
AUTHOR
was developed by Sun Microsystems, Inc.
SEE ALSO
gss_acquire_cred(3), gss_delete_sec_context(3), gss_init_sec_context(3).
The manpages for DCE-GSSAPI are included with the DCE-CoreTools product. To see those manpages add to
gss_accept_sec_context(3)